A graph-based threat intelligence analysis method for honeypot systems

An analysis method and intelligence technology, applied in the field of network security, that solves the problem of attack data that cannot be mined in depth, and achieves the effects of improving data processing efficiency, improving trapping efficiency and ensuring security.

Active Publication Date: 2021-09-21
广州锦行网络科技有限公司

Problems solved by technology

[0006] Aiming at the problems existing in the above-mentioned prior art, the present invention discloses a graph-based honeypot system threat intelligence analysis method, which solves the problem that the existing technology cannot deeply mine the attack data collected by the honeypot system. Based on the graph model, this method can further mine and analyze the potential connections in the attack data, so that users can better understand the attacker's attack methods; it provides a more accurate reference for adjusting the honeypot system architecture, and also provides an effective information reference for attack traceability and attack forensics.

Examples

Embodiment 1

[0088] The process of mining and analyzing the correlation between the attack sources is as follows:

[0089] Select SAMPLE, SAMPLE_FUZZY, SAMPLE_NAME, URL, TOOL_PAYLOAD nodes associated with IP nodes in the graph model;

[0090] Use the community discovery algorithm to mine and analyze the community groups existing in the attack source IP attacking the honeypot system;

[0091] The frequent subgraph mining algorithm is used to identify the attack tools that attack sources use most frequently, and to analyze the attack habits and attack skill level of the attack sources.
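The attack-source correlation mining of paragraphs [0089] to [0091], as an added Python example; this is not code from the patent or its applicant. It assumes constructed honeypot observations pairing attack source IPs with tool payload identifiers, reduces the IP-associated nodes to a single TOOL_PAYLOAD type, uses connected components as a simple stand-in for the patent's unspecified community discovery algorithm, and counts the support of the single IP-to-tool edge pattern as the simplest case of frequent subgraph mining:

```python
from collections import defaultdict

# Constructed sample honeypot observations (not data from the patent): each
# record is (attack source IP, identifier of the TOOL_PAYLOAD it used).
# The IPs are documentation ranges and the tool ids are placeholders.
SAMPLE_EVENTS = [
    ("198.51.100.10", "tool_a"),
    ("198.51.100.10", "tool_b"),
    ("198.51.100.11", "tool_a"),
    ("198.51.100.12", "tool_b"),
    ("203.0.113.5", "tool_c"),
    ("203.0.113.6", "tool_c"),
    ("203.0.113.6", "tool_d"),
    ("192.0.2.77", "tool_e"),
]


def build_graph(events):
    """Undirected adjacency of a bipartite graph: IP nodes are linked to the
    TOOL_PAYLOAD nodes they were observed using (the IP-associated nodes the
    patent selects in paragraph [0089], reduced here to one node type)."""
    adj = defaultdict(set)
    for ip, tool in events:
        adj[("IP", ip)].add(("TOOL_PAYLOAD", tool))
        adj[("TOOL_PAYLOAD", tool)].add(("IP", ip))
    return adj


def communities(adj):
    """Community partition of the attack sources: two IPs fall in the same
    community when a chain of shared tooling connects them. Connected
    components stand in for the patent's unspecified community discovery
    algorithm. Returns a sorted list of sorted IP lists."""
    seen, groups = set(), []
    for start in adj:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(adj[node] - seen)
        groups.append(sorted(name for kind, name in component if kind == "IP"))
    return sorted(groups)


def frequent_tools(events, min_sources=2):
    """Tools used by at least `min_sources` distinct attack sources, i.e. the
    frequently recurring IP->TOOL_PAYLOAD edge pattern. Counting support of a
    single-edge pattern is the simplest case of the frequent subgraph mining
    the patent refers to in [0091]."""
    sources = defaultdict(set)
    for ip, tool in events:
        sources[tool].add(ip)
    return {tool: len(ips) for tool, ips in sources.items() if len(ips) >= min_sources}


def attack_profile(adj, ip):
    """Tools observed for one attack source: a per-attacker view of its habits."""
    return sorted(name for _, name in adj.get(("IP", ip), set()))


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EVENTS)
    for group in communities(graph):
        print("community:", ", ".join(group))
    print("frequent tools:", frequent_tools(SAMPLE_EVENTS))
    print("profile of 198.51.100.10:", attack_profile(graph, "198.51.100.10"))
```

With the constructed data the three 198.51.100.x sources form one community through the tools they share, the two 203.0.113.x sources form another, and 192.0.2.77 stands alone; raising `min_sources` narrows the frequent-tool list to tooling that recurs across more attackers.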

Embodiment 2

[0093] The fuzzy relationship mining and analysis process between the malicious files is as follows:

[0094] Select all SAMPLE_FUZZY nodes in the graph model;

[0095] Calculate the similarity of the fuzzy hash values between SAMPLE_FUZZY nodes, for example by using a string similarity comparison algorithm to determine the similarity between two fuzzy hash values, and thereby judge the similarity between the two files;

[0096] Associate the SAMPLE_FUZZY nodes whose similarity is greater than the threshold to obtain the relationship between malicious files.

Embodiment 3

[0098] The mining and analysis process of the malicious file family derivative map is as follows:

[0099] Select all SAMPLE, SAMPLE_FUZZY, RELEASE_FILE and RELEASE_FILE_FUZZY nodes in the graph model;

[0100] Based on the SAMPLE, SAMPLE_FUZZY, RELEASE_FILE and RELEASE_FILE_FUZZY nodes, calculate the node similarity of the hash value or fuzzy hash value, respectively, between each pair of nodes;

[0101] Associate the nodes whose node similarity is greater than the threshold to construct a family derivative graph of malicious files;

[0102] Based on the family derivative graph of malicious files, the evolution and derivation process of the malicious files can be analyzed, and from it the evolution and derivation process of the attack tools and the technical capability level of the attackers can be inferred.
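The fuzzy relationship mining of Embodiment 2 ([0094] to [0096]) and the family derivative graph of Embodiment 3 ([0099] to [0102]) share one mechanism: score node pairs by hash similarity, associate pairs above a threshold, and read families off the resulting graph. The following added Python example implements both; it is not code from the patent or its applicant. It assumes constructed nodes whose ids carry the node type as a prefix, uses difflib's SequenceMatcher ratio as the string similarity comparison [0095] gives as an example, treats exact hashes as equal-or-not, and takes connected components of the association graph as the families; the hash strings are placeholders, not real digests:

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed graph nodes (not data from the patent). Node ids carry the node
# type as a prefix; values are the hash strings each node holds. Exact hashes
# are placeholder hex strings; the fuzzy strings are only shaped like a
# context-triggered piecewise hash and are not real ssdeep output.
NODES = {
    "SAMPLE:h1": "ab12cd34ef56ab12cd34ef56",
    "RELEASE_FILE:f1": "ab12cd34ef56ab12cd34ef56",
    "RELEASE_FILE:f2": "0000ffff0000ffff0000ffff",
    "SAMPLE_FUZZY:s1": "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C",
    "SAMPLE_FUZZY:s2": "3:AXGBicFlgVNhBGcL6wCrFQEw:AXGHsNhxLsr2D",
    "SAMPLE_FUZZY:s3": "6:hERjkdVkqIYzfZkVPxTEfQr0OnHlwZ:hEdyYz8OpLe",
    "RELEASE_FILE_FUZZY:r1": "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C",
    "RELEASE_FILE_FUZZY:r2": "96:ZkhRbsAHBuAsJqd9KkD4p3KIEBKUpDgt:ZkDsABuAsqdRk4pK",
}

FUZZY_TYPES = {"SAMPLE_FUZZY", "RELEASE_FILE_FUZZY"}
EXACT_TYPES = {"SAMPLE", "RELEASE_FILE"}


def node_type(node_id):
    """Node type is the id prefix before the first colon (an assumption of this example)."""
    return node_id.split(":", 1)[0]


def similarity(a, b, fuzzy):
    """Node similarity in [0, 1]. Exact hashes either match or they do not; fuzzy
    hashes are compared with a string similarity ratio (difflib's SequenceMatcher),
    the kind of comparison paragraph [0095] gives as an example."""
    if not fuzzy:
        return 1.0 if a == b else 0.0
    return SequenceMatcher(None, a, b).ratio()


def associate(nodes, threshold):
    """Edges between nodes whose similarity exceeds `threshold` ([0096], [0101]).
    Exact-hash nodes are only compared with exact-hash nodes and fuzzy with
    fuzzy, since the two value kinds are not comparable with each other."""
    edges = []
    for x, y in combinations(sorted(nodes), 2):
        tx, ty = node_type(x), node_type(y)
        if tx in FUZZY_TYPES and ty in FUZZY_TYPES:
            score = similarity(nodes[x], nodes[y], fuzzy=True)
        elif tx in EXACT_TYPES and ty in EXACT_TYPES:
            score = similarity(nodes[x], nodes[y], fuzzy=False)
        else:
            continue
        if score > threshold:
            edges.append((x, y, round(score, 3)))
    return edges


def families(nodes, threshold):
    """Connected components of the association graph (union-find): each
    component is one malicious file family together with its derived and
    released files. Returns a sorted list of sorted node-id lists; a singleton
    is a file with no known relatives."""
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for x, y, _ in associate(nodes, threshold):
        parent[find(x)] = find(y)
    groups = {}
    for n in nodes:
        groups.setdefault(find(n), []).append(n)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for x, y, score in associate(NODES, 0.8):
        print(f"{x} -- {y} (similarity {score})")
    for fam in families(NODES, 0.8):
        print("family:", ", ".join(fam))
```

With a threshold of 0.8 the two near-identical fuzzy hashes and the released file that shares one of them form a single family, the identical exact hashes of a sample and a released file form another, and the unrelated nodes remain singletons. The threshold is the tuning point a practitioner cares about: too low and unrelated files are chained into one family, too high and genuine variants are missed.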

Abstract

The invention relates to a graph-based honeypot system threat intelligence analysis method comprising the following steps: using the honeypot system to collect attacker behavior data; analyzing the data to extract meta-information and the derivative information derived from it; constructing a graph model and saving it to a graph database; mining and analyzing threat intelligence; and providing an interface for mining and analyzing the relationships between nodes, so that node information specified by the user can be mined and analyzed. The method solves the problem that existing technology cannot deeply mine the attack data collected by a honeypot system: it can further mine and analyze the potential links in the attack data, reveal the attacker's attack methods, provide a more accurate reference for adjusting the honeypot system architecture, and provide an effective information reference for attack traceability and attack forensics.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a graph-based honeypot system threat intelligence analysis method.

Background technique

[0002] With the rapid development of computer technology, information networks have become an important guarantee for social development, so ensuring the security of information networks is very important. It is therefore necessary to formulate corresponding protection measures against the various attack methods used on the network in order to avoid network attacks. The premise of formulating such protection measures, however, is first to understand the attacker's methods, yet most of those methods are destructive. Therefore, in order to collect a large amount of attack data, honeypot technology is widely used in network security. Honeypot technology is essentially a technology to deceive the attacker. By arranging some hosts, network services or informati...

Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F16/2458; H04L29/06
CPC: G06F2216/03; G06F16/2465; H04L63/1408; H04L63/1491
Inventors: 吴建亮, 胡鹏, 刘顺明
Owner: 广州锦行网络科技有限公司